GOVERNANCE AND AUDIT COMMITTEE
Thursday, June 1, 2017
4:00 PM
Conference Room 157
County Government Center
70 West Hedding Street
San Jose, CA
AGENDA
CALL TO ORDER
1. ROLL CALL
2. PUBLIC PRESENTATIONS:
This portion of the agenda is reserved for persons desiring to address the Committee on any matter not on the agenda. Speakers are limited to 2 minutes. The law does not permit Committee action or extended discussion on any item not on the agenda except under special circumstances. If Committee action is requested, the matter can be placed on a subsequent agenda. All statements that require a response will be referred to staff for reply in writing.
3. ORDERS OF THE DAY
CONSENT AGENDA
4. ACTION ITEM - Approve the Regular Meeting Minutes of May 4, 2017.
5. ACTION ITEM - Review and receive the Auditor General's follow-up report on the implementation status of management's action plans contained in the Trapeze OPS Pre-Implementation Review performed during Fiscal Year 2014.
6. ACTION ITEM - Review and receive the Auditor General's follow-up report on the implementation status of management's action plans contained in the Public Safety Process Assessment performed during Fiscal Year 2014.
REGULAR AGENDA
7. ACTION ITEM - Review and receive the Auditor General's report on the Inventory and Assets Held at Outreach.
Santa Clara Valley Transportation Authority Governance and Audit Committee June 1, 2017
8. ACTION ITEM - Review and receive the Auditor General's report on the Interagency Agreement Risk Assessment.
9. ACTION ITEM - Review and receive the Auditor General's follow-up report on the implementation status of management's action plans contained in the Sheriff's Office Contract Compliance Internal Audit performed during Fiscal Year 2013.
10. ACTION ITEM - Review and receive the Auditor General's follow-up report on the implementation status of management's action plans contained in the Operator Scheduling Assessment performed during Fiscal Year 2015.
11. INFORMATION ITEM - Receive an update from Auditor General Office staff on the status of projects contained in the current Internal Audit Work Plan.
12. DISCUSSION ITEM - Review and discuss the applications from individuals seeking to serve on the 2016 Measure B Citizens' Oversight Committee evaluated by the Board subcommittee.
OTHER ITEMS
13. Items of Concern and Referral to Administration.
14. Review Committee Work Plan. (Fernandez)
15. Committee Staff Report. (Fernandez)
16. Chairperson's Report. (Bruins)
17. Determine Items for the Consent Agenda for future VTA Board of Directors' meetings.
18. ANNOUNCEMENTS
19. ADJOURN
In accordance with the Americans with Disabilities Act (ADA) and Title VI of the Civil Rights Act of 1964, VTA will make reasonable arrangements to ensure meaningful access to its meetings for persons who have disabilities and for persons with limited English proficiency who need translation and interpretation services. Individuals requiring ADA accommodations should notify the Board Secretary’s Office at least 48-hours prior to the meeting. Individuals requiring language assistance should notify the Board Secretary’s Office at least 72-hours prior to the meeting. The Board Secretary may be contacted at (408) 321-5680 or [email protected] or (408) 321-2330 (TTY only). VTA’s home page is www.vta.org or visit us on www.facebook.com/scvta. (408) 321-2300: 中文 / Español / 日本語 / 한국어 / tiếng Việt / Tagalog.
Disclosure of Campaign Contributions to Board Members (Government Code Section 84308) In accordance with Government Code Section 84308, no VTA Board Member shall accept, solicit, or direct a contribution of more than $250 from any party, or his or her agent, or from any participant, or his or her agent, while a proceeding involving a license, permit, or other entitlement
for use is pending before the agency. Any Board Member who has received a contribution within the preceding 12 months in an amount of more than $250 from a party or from any agent or participant shall disclose that fact on the record of the proceeding and shall not make, participate in making, or in any way attempt to use his or her official position to influence the decision. A party to a proceeding before VTA shall disclose on the record of the proceeding any contribution in an amount of more than $250 made within the preceding 12 months by the party, or his or her agent, to any Board Member. No party, or his or her agent, shall make a contribution of more than $250 to any Board Member during the proceeding and for three months following the date a final decision is rendered by the agency in the proceeding. The foregoing statements are limited in their entirety by the provisions of Section 84308 and parties are urged to consult with their own legal counsel regarding the requirements of the law.
All reports for items on the open meeting agenda are available for review in the Board Secretary’s Office, 3331 North First Street, San Jose, California, (408) 321-5680, the Monday, Tuesday, and Wednesday prior to the meeting. This information is available on VTA’s website at http://www.vta.org and also at the meeting.
NOTE: THE BOARD OF DIRECTORS MAY ACCEPT, REJECT OR MODIFY
ANY ACTION RECOMMENDED ON THIS AGENDA.
-
Governance and Audit Committee
Thursday, May 4, 2017
MINUTES
CALL TO ORDER
The Regular Meeting of the Governance and Audit Committee (“Committee”) was called to
order at 4:01 p.m. by Chairperson Bruins in Conference Room 157, County Government Center,
70 West Hedding, San Jose, California.
1. ROLL CALL
Attendee Name Title Status
Jeannie Bruins Chairperson Present
Cindy Chavez Member Present
Glenn Hendricks Member Present
Sam Liccardo Vice Chairperson Present
Teresa O'Neill Member Present
A quorum was present.
2. PUBLIC PRESENTATIONS:
There were no Public Presentations.
3. ORDERS OF THE DAY
Chairperson Bruins requested to hear items on the Regular Agenda, before Closed
Session until Vice Chairperson Liccardo's arrival.
M/S/C (Chavez/Hendricks) to accept the Orders of the Day.
RESULT: APPROVED – Orders of the Day
MOVER: Cindy Chavez, Member
SECONDER: Glenn Hendricks, Member
AYES: Bruins, Chavez, Hendricks, O’Neill
NOES: None
ABSENT: Liccardo
NOTE: M/S/C MEANS MOTION SECONDED AND CARRIED AND, UNLESS OTHERWISE INDICATED,
THE MOTION PASSED UNANIMOUSLY.
CONSENT AGENDA
4. Regular Meeting Minutes of March 2, 2017
M/S/C (Chavez/Hendricks) to approve the Regular Meeting Minutes of March 2, 2017.
5. Amend the VTA Administrative Code to Establish the 2016 Measure B Citizens
Oversight Committee and Approve the Committee Bylaws
M/S/C (Chavez/Hendricks) to recommend that the VTA Board of Directors: (1) adopt a
resolution amending the VTA Administrative Code to establish the 2016 Measure B
Citizens’ Oversight Committee; and (2) approve the bylaws for that committee.
6. Ratification of Appointments to the Bicycle & Pedestrian Advisory Committee
M/S/C (Chavez/Hendricks) to ratify the appointments of: 1) Susan Cretekos, Town of
Los Altos Hills; 2) Carolyn Schimandle, City of Gilroy; and 3) Erik Lindskog, City of
Cupertino, to the Bicycle & Pedestrian Advisory Committee for the two-year term ending
June 30, 2018.
RESULT: APPROVED – Consent Agenda Items #4 - #6
MOVER: Cindy Chavez, Member
SECONDER: Glenn Hendricks, Member
AYES: Bruins, Chavez, Hendricks, O’Neill
NOES: None
ABSENT: Liccardo
The Agenda was taken out of order.
REGULAR AGENDA
10. Information Technology (IT) Development and Project Management Assessment
Pat Hagan, Auditor General's Office, provided the report, highlighting areas of concern
and Auditor General’s recommendations for consideration.
Gary Miskell, Chief Information Officer, provided an overview of Management’s Action
Plan, including efforts in the areas of agency-wide oversight, IT governance process,
change management process and controls, and project management and performance
monitoring.
Members of the Committee made the following comments: 1) asked about staff training
process, key performance indicators, and security as it relates to access control;
2) requested information on steering committee charter; 3) change management pre-roll
out could help inform post-roll out; 4) suggested “Project Management” might be better
referred to as “Program Management”; and 5) commended staff on a sound action plan.
M/S/C (Chavez/O'Neill) to review and receive the Auditor General's report on the IT
Development and Project Management Assessment.
RESULT: APPROVED – Agenda Item #10
MOVER: Cindy Chavez, Member
SECONDER: Teresa O’Neill, Member
AYES: Bruins, Chavez, Hendricks, O’Neill
NOES: None
ABSENT: Liccardo
Vice Chairperson Liccardo arrived at the meeting and took his seat at 4:23 p.m.
11. Investment Program Controls Internal Audit -- FY 2017
M/S/C (Chavez/Hendricks) to review and receive the Auditor General's report on the
Investment Program Controls Internal Audit performed during Fiscal Year (FY) 2017.
RESULT: APPROVED – Agenda Item #11
MOVER: Cindy Chavez, Member
SECONDER: Glenn Hendricks, Member
AYES: Bruins, Chavez, Hendricks, Liccardo, O’Neill
NOES: None
ABSENT: None
12. Review Status of Internal Audit Work Plan
On order of Chairperson Bruins and there being no objection, the Committee received
an update from Auditor General Office staff on the status of projects contained in the
current Internal Audit Work Plan.
7. Recess to Closed Session at 4:24 p.m.
A. THREAT TO PUBLIC SERVICES OR AGENCY INFORMATION
(Government Code Section 54957)
Consultation with Chief Information Officer, Gary Miskell
8. Reconvened to Open Session at 4:53 p.m.
9. Closed Session Report
Evelynn Tran, Deputy General Counsel, noted no reportable action was taken during
Closed Session.
REGULAR AGENDA (continued)
13. Recommended FY 2018 & FY 2019 Internal Audit Work Plans
Bill Eggert, Auditor General, provided a brief overview of the proposed internal audit
work plan.
After a brief discussion, Members of the Committee provided direction to defer the Cyber
Security Assessment in the proposed FY 2018 Internal Audit Work Plan.
M/S/C (Liccardo/Chavez) to recommend Board approval of the Auditor General’s
recommended Internal Audit Work Plans for the next two fiscal years (FY) for a
maximum amount of $465,000 for FY 2018 and $465,000 for FY 2019.
RESULT: APPROVED – Agenda Item #13
MOVER: Sam Liccardo, Vice Chairperson
SECONDER: Cindy Chavez, Member
AYES: Bruins, Chavez, Hendricks, Liccardo, O’Neill
NOES: None
ABSENT: None
OTHER ITEMS
14. Items of Concern and Referral to Administration
The Committee expressed appreciation to the Auditor General and staff for their
presentations.
15. Committee Work Plan
Nuria I. Fernandez, General Manager and CEO, provided a brief overview of the work
plan and noted the next Committee meeting is scheduled for June 1, 2017.
On order of Chairperson Bruins and there being no objection, the Committee reviewed
the Committee Work Plan.
16. Committee Staff Report
There was no Committee Staff Report.
17. Chairperson's Report
There was no Chairperson's Report.
18. Determine Items for the Consent Agenda for future VTA Board of Directors'
Meetings
CONSENT:
Agenda Item #5., Recommend that the Board of Directors: (1) adopt a resolution
amending the VTA Administrative Code to establish the 2016 Measure B Citizens’
Oversight Committee; and (2) approve the bylaws for that committee.
Agenda Item #10., Review and receive the Auditor General's report on the IT
Development and Project Management Assessment.
Agenda Item #11., Review and receive the Auditor General's report on the Investment
Program Controls Internal Audit performed during Fiscal Year 2017.
REGULAR:
Agenda Item #13., Recommend Board approval of the Auditor General’s recommended
Internal Audit Work Plans for the next two fiscal years (FY) for a maximum amount of
$531,000 for FY 2018 and $465,000 for FY 2019.
19. ANNOUNCEMENTS
Ms. Fernandez announced VTA will co-host the Movers and Shakers bike ride with the
Silicon Valley Bicycle Coalition on Bike to Work Day on May 11, 2017. The bike ride
will begin at the Martin Luther King, Jr., Library in San Jose, and end at VTA's River
Oaks Administrative Offices via the Guadalupe River Trail.
20. ADJOURNMENT
On order of Chairperson Bruins and there being no objection, the Committee was
adjourned at 4:59 p.m.
Respectfully submitted,
Michelle Oblena, Board Assistant
VTA Office of the Board Secretary
Date: May 22, 2017
Current Meeting: June 1, 2017
Board Meeting: August 3, 2017
BOARD MEMORANDUM
TO: Santa Clara Valley Transportation Authority Governance and Audit Committee
FROM: Auditor General, Bill Eggert
SUBJECT: Follow-Up on the Trapeze OPS Pre-Implementation Review
Policy-Related Action: No
Government Code Section 84308 Applies: No
ACTION ITEM
RECOMMENDATION:
Review and receive the Auditor General's follow-up report on the implementation status of management's action plans contained in the Trapeze OPS Pre-Implementation Review performed during Fiscal Year 2014.
BACKGROUND:
VTA’s Auditor General’s Office is responsible for conducting the internal audits specified in the Board-approved Internal Audit Work Plan. It is also responsible for determining the implementation status, adequacy and timeliness of corrective actions that VTA management committed to implement on reported observations and recommendations contained in these internal audits.
In Fiscal Year 2014, the Auditor General’s Office completed the Trapeze OPS Pre-Implementation Review. The primary objective of this project was to review VTA’s implementation plan for Trapeze OPS and provide recommendations to the project team to help ensure as integrated and seamless a transition as possible by minimizing the occurrence and magnitude of transition errors, especially regarding time capture/payroll processing. To achieve this objective, we observed specific concerns and communicated these concerns in real time to the VTA project team. All recommendations were discussed and many were confirmed during fieldwork as having been remediated immediately by VTA.
Based on the work performed, an overall Medium level of potential opportunity for process improvement was issued, based on twelve identified areas of potential process improvement: eight judged as Low risk, and four judged as Medium risk.
VTA management agreed with all Auditor General’s Office recommendations. It committed to implement all recommendations by the end of December 2014.
Recommendations of opportunities for improvement contained in that report were presented by the Auditor General for consideration by the VTA Board of Directors, Governance & Audit Committee and management, which are solely responsible for the effective implementation of any recommendation.
DISCUSSION:
In March and April 2017, the Auditor General’s Office completed its follow-up process to assess if the management action plans specified in the Trapeze OPS Pre-Implementation Review had been completed. The results of this follow-up, as well as a summary of the findings, recommendations and VTA management responses from the subject report, are included on Attachment A.
Based on the evidence submitted by VTA, we have confirmed that the recommendations have been successfully implemented.
FISCAL IMPACT:
There is no financial impact associated with acceptance of this report.
Prepared by: Lily Rogers, AG's Office and Stephen Flynn, Advisory Committee Coordinator
Memo No. 6130
ATTACHMENTS:
• A--Followup on Trapeze OPS Pre-Implementation (PDF)
# Observation Recommendation Management Response Recommendation Implementation Status
1 Change Requests Related to Trapeze OPS
Observation: VTA is currently relying on the vendor (Trapeze) to perform development functions and provide implementation guidance, and as a result is minimizing the risk of improper coding through Trapeze’s formal change management process. However, we observed that VTA is not following its own change management procedures to update patches and releases in the test/training environment once the developed portion of the system is ready to be released onto VTA’s environment. The objective of the change management process is to ensure changes are authorized, made in a timely manner, and occur with minimal errors. This process includes tracking and approving standard changes and emergency maintenance relating to business processes, applications and infrastructure.
Recommendation: VTA should also be consistent in following formal change management procedures to update patches and releases in the test/training environment.
Management Response: VTA agrees with the recommendation. Change management procedures have been implemented and are now in place for patches and release updates in the test/training environment.
Target Date: June 30, 2014
Auditor General's Office:
Status: Complete
VTA management has implemented change management procedures for updates and releases in Trapeze. VTA utilizes 3 environments, including training, development, and production, and ensures that all changes and updates to the final production database are properly authorized.
2a Application Security - Segregation of Duties
Observation: Management plans for the Operations Systems Supervisor to grant user access rights. However, the Operations Systems Supervisor also utilizes Trapeze OPS for other daily responsibilities, thereby creating a potential segregation of duties conflict.
Recommendation: System/application administrator roles for granting, modifying or removing access should be limited to IT. Additionally, a proper approval process should be followed that ensures changes to roles and responsibilities do not create conflicts.
Management Response: VTA partially agrees with the recommendation. Administration of user security will be transitioned to Technology by October 2014. The Operations Systems Supervisor, who is the VTA expert in determining appropriate user functions, will continue to have access to user groups or roles.
Target Date: October 31, 2014
Auditor General's Office:
Status: Complete
The Operations System Supervisor continues to have access to user groups and roles. The administration of user security and system passwords has transitioned to Information Technology. All Information Technology personnel have received training on user access management.
2b Application Security - New User Access
Observation: Management is in process but has not yet completed updating their policy around issuance of granting and removing access to Trapeze OPS. The user access change form has also not been updated to include Trapeze OPS groups, workspaces and/or permissions.
Recommendation: Management should complete the previously started user access policy (addressing access administration, authorization for adding users, modifications to user permissions, removal of access, and periodic access review) before going live of Trapeze OPS. We also recommend that the existing Create Modify User Account Form be revised to incorporate Trapeze OPS groups and permissions. Additionally, permission modifications should be documented using the revised Create Modify User Account Form to ensure appropriate authorization is obtained before changes are implemented.
Management should also require a documented independent user access review be conducted for Trapeze OPS on at least a yearly basis. This review should include a review of all user accounts to determine if the account is still needed, appropriateness of access levels, etc. The documentation should include exceptions discovered and corrected, impact of each exception, date and who performed the review.
Management Response: VTA agrees with the recommendation. User request forms are in place. In addition, VTA developed automated scripts that run daily to monitor user account exceptions.
Target Date: June 30, 2014
Auditor General's Office:
Status: Complete
VTA Operations has put in place a User Access Form for all new Trapeze users and changes to Trapeze access. User Access Form includes four workspaces for bidding, timekeeping, dispatching, and workforce management. All User Access Forms require the user's and manager's signatures before processing. Requests are reviewed, approved, and processed by Operations. An automated email is generated when a Trapeze user is separated from VTA that prompts a change in user access.
2c Application Security - Unique User Accounts
Observation: Per inspection of the Trapeze OPS user access listing on April 3, 2014, two users have more than one user name. Also, there were eleven user names set up that do not follow the standard user name naming convention of “Lastname_f”, where f = first initial. Ensuring that all users (internal, external and temporary) and their activity on IT systems (business application, IT infrastructure, system operations, development and maintenance) are uniquely identifiable will help confirm if data access rights are in accordance with their business requirements.
Recommendation: Management should reset non-compliant user names in order to adhere to the standard user name convention in place. Also, for users with multiple user names, Management should disable additional accounts unless there is a clear business purpose or consider reviewing the user access logs to ensure user activity is limited to perform daily job functions.
Management Response: VTA agrees with the recommendation and is resetting and/or disabling non-compliant accounts.
Target Date: June 30, 2014
Auditor General's Office:
Status: Complete
In July 2016 VTA deployed LDAP (Lightweight Directory Access Protocol), a software protocol derived from the Windows Active Directory that does not allow duplication of accounts. A Single Sign On approach has been adopted. Corrections were made to disable additional accounts of users with multiple accounts as part of the LDAP deployment. At the time of review, no individuals had more than one account.
June 1, 2017
Follow-up Report: Trapeze OPS Pre-Implementation Review
VTA Auditor General's Office
2d Application Security - Password Policy
Observation: Per inspection of the Trapeze OPS password parameters on April 3, 2014, passwords are not required to be changed at any time after initial setup.
Recommendation: Management should consider additional configuration standards for password policies/settings to enforce requirements for strong passwords, including industry standards such as:
• Forced password change interval of 30 – 90 days
• Minimum password length of 10 characters, including letters, numbers, and requiring at least one capital letter; including special characters (e.g., &, *, !, etc.) will increase complexity and greatly increase overall password security
• Require a rotation of at least three passwords before one can be reused
Management should consider adding a session timeout for the application, to help prevent unauthorized access. Session timeouts could vary depending on the job function being performed.
Management Response: VTA agrees with the recommendation and will implement a password management policy similar to that used for other VTA systems by October 31, 2014.
Target Date: October 31, 2014
Auditor General's Office:
Status: Complete
Information Technology created a Trapeze password policy similar to the standard VTA password policy, which included a forced password change interval of 120 days, a requirement to use at least one letter and number, and a requirement that passwords be different from the previous 3 passwords used. The July 2016 deployment of the LDAP software protocol forces application password policies to be in line with standard VTA password policies. Network passwords are now used to log in to Trapeze products.
2e Application Security - Security Groups
Observation: Two users under the same job role will initially have identical permissions, however, further unique permissions can be assigned to an individual user and create challenges in the monitoring process of user access rights.
Recommendation: Management should avoid authorization of individual permission changes and promote the use of standard group assignments based on job roles/responsibilities, where reasonably feasible.
Management Response: VTA agrees with the recommendation. Standard group assignments are in place.
Target Date: June 30, 2014
Auditor General's Office:
Status: Complete
VTA has implemented standard workspaces which govern user access. Users are assigned to a workspace for bidding, timekeeping, dispatching, or workforce management, all of which have standard group assignments and access levels. Users are further divided into specific user groups within these workspaces in order to standardize user access according to user role.
3 User Acceptance Testing (UAT) Process for Customized Functions - Dispatch and Workforce Management Testing
Observation: Per review over testing plans including test cases and tester approval on April 3, 2014, the tester did not include reports, screenshots, or other documents to demonstrate the support used to determine whether the test passed or failed. Management maintains a log with tester approval signoffs, however, formal documentation demonstrating IT and/or Project Manager approval was not provided.
Recommendation: Management should retain support used to determine a test passing or failing.
Management Response: VTA agrees with the recommendation and implemented the recommended approach during the testing phase of the project.
Target Date: June 30, 2014
Auditor General's Office:
Status: Complete
VTA now maintains a status log of all test scripts which details the script number, description, testing status (pass/fail), additional comments, and the test script status. All support related to testing status is retained.
4a Processing Integrity Review Process - SAP Employee and Vehicle Maintenance - Imported Data
Observation: We noted inconsistencies such as informal checkpoints and incomplete reconciliations of data elements in the method of verifying that data and/or transactions transmitted were accurate, complete and valid.
In addition, we noted inconsistencies in the tracking and logging of test results and any associated resolution.
Recommendation: A formal reconciliation process should be designed to facilitate the complete and accurate processing of information. A formal reconciliation process should also be established to include formal validations of the imported or exported data, such as confirmation through matching number counts of selected records or field attributes. VTA should identify, log and classify (e.g., minor, significant and mission-critical) errors during testing, and repeat tests until all significant errors have been resolved. VTA should also ensure that an audit trail of test results is maintained.
Management Response: VTA agrees with the recommendation and implemented the recommended approach during the testing phase of the project. Regular monitoring of interface data by the System Administrators is in place.
Target Date: June 30, 2014
Auditor General's Office:
Status: Complete
VTA has reconciled the information uploaded to Trapeze to the source data in SAP and has verified that all information is processed accurately. VTA works to identify and solve any errors as they arise. Systems Administrators regularly monitor data in SAP and Trapeze to ensure validity.
4b Processing Integrity Review Process - System Integration - Bidding, Dispatch & Timekeeping
Observation: We observed that UAT testing included various test scenarios and scripts, and focused on accuracy as well as error resolution. However, daily, monthly and annual process streams and data transmissions were not being formally tested for completeness and accuracy as of our field work date (April 3, 2014).
Recommendation:
• A formal reconciliation process should be designed to ensure that information processing considers daily, monthly and annual processes and that information processing is valid, complete, and accurate.
• A formal reconciliation process should be established to include formal validations of the imported and exported data.
• An exception threshold should be agreed upon by the VTA project team, such that error rates exceeding 2% would be escalated for more immediate remediation.
Management Response: The System Administrators regularly monitor the interface data. In addition, a formal reconciliation of timekeeping data is conducted every pay period.
Target Date: June 30, 2014
Auditor General's Office:
Status: Complete
VTA users can generate a weekly timekeeping summary of their hours worked and pay code by day. Timekeeping summary reports can also be generated for a division/employee type for a given time period. Payroll provides feedback and relays errors in individual timekeeping each pay period.
4c Processing Integrity Review Process - System Integration Review - Workforce Management
Observation: Per discussion with VTA during the week of 03/31/14, integrated testing has not begun since historical data from VAP was recently converted into Trapeze OPS and undergoing testing. In addition, there are several customization work orders still outstanding from the Trapeze vendor. These multiple factors combined lead to greater potential to disrupt the implementation project. However, we also acknowledge that VTA has considered alternative plans prior to going live.
Recommendation: VTA should determine an updated timeline with the Trapeze vendor and hold the vendor accountable to the set dates for remaining customization delivery (such as a fee penalty if not met) in order to allow time for testing.
Another option is to postpone implementation of the Trapeze OPS - Workforce Management module until all customizations are complete and tested thoroughly; however, it has been determined by the VTA project team that the projected risk associated with this finding would not warrant a delay in go-live.
Management Response: VTA postponed implementation of the VAP (VTA Attendance Program) module of Trapeze OPS. VTA is currently testing this module. The anticipated implementation of the VAP module will be completed by the end of 2014.
Target Date: December 31, 2014
Auditor General's Office:
Status: Complete
The VAP module of Trapeze OPS was initially delayed and is currently partially implemented. Implementation is nearing completion and is scheduled to be completed by the end of Fiscal Year 2017.
4d Processing Integrity Review Process - SAP Employee Data & Vehicle Maintenance Transmission
Observation: VTA currently utilizes the Open Database Connectivity (ODBC) interface to automatically transmit employee HR information (such as vacation and sick day balances) and vehicle maintenance information from the SAP system to Trapeze OPS. We observed that there are no automated alerts to notify if any records may be rejected or otherwise excluded during the automated transmission process.
Recommendation: An alert notification feature or reporting feature should be implemented to confirm all records transmitted from SAP match the records received into Trapeze OPS. This would ensure that appropriate management or system administrators are notified of any records not successfully transmitted so that the instance(s) could be investigated and resolved timely.
Management Response: VTA agrees with the recommendation. Automated alerts notifying Systems Administrators are now in place.
Target Date: June 30, 2014
Auditor General's Office:
Status: Complete
VTA has implemented automated alerts related to errors in all interfaces. Any record error will result in an automated alert sent to the database administrator for investigation.
5 Data Conversion Procedures
Observation: Per review over Historical Data Load Specifications, the data to be migrated consists of BDT data and VAP data. During our review, Management provided email correspondence between business owners and the project team stating VTA will no longer load BDT historical data into Trapeze OPS, however, the Historical Data Load Specifications had not been updated to reflect the significant change.
Recommendation: Management should consider formally documenting the removal of BDT from the scope of the data migration process and business owners’ approval of the VAP data fields.
Management Response: VTA agrees with the recommendation. Removal of BDT data migration scope was documented while VAP data fields were identified and approved by business process owners.
Target Date: June 30, 2014
Auditor General's Office:
Status: Complete
VTA has not loaded historical BDT data into Trapeze and has directed Trapeze to cancel the historical load. BDT data was formally removed from the scope of the data migration process.
Date: May 22, 2017
Current Meeting: June 1, 2017
Board Meeting: August 3, 2017
BOARD MEMORANDUM
TO: Santa Clara Valley Transportation Authority Governance and Audit Committee
FROM: Auditor General, Bill Eggert
SUBJECT: Follow-Up on the Public Safety Process Assessment
Policy-Related Action: No Government Code Section 84308 Applies: No
ACTION ITEM
RECOMMENDATION:
Review and receive the Auditor General's follow-up report on the implementation status of management's action plans contained in the Public Safety Process Assessment performed during Fiscal Year 2014.
BACKGROUND:
VTA’s Auditor General’s Office is responsible for conducting the internal audits specified in the Board-approved Internal Audit Work Plan. It is also responsible for determining the implementation status, adequacy and timeliness of corrective actions that VTA management committed to implement on reported observations and recommendations contained in these internal audits.
During Fiscal Year 2016, the Auditor General’s Office completed the Public Safety Process Assessment. The primary objective of this review was to obtain an understanding of VTA’s Public Safety processes, validate our understanding of the processes through both documentation review and inspection and physical observation of in-place processes, and identify opportunities for process improvements.
Based on the work performed, an overall Low level of potential opportunity for process improvement was issued, based on five identified areas of potential process improvement: two judged as Medium potential, and three judged as Low.
VTA management agreed with all Auditor General’s Office recommendations. It committed to implement all recommendations by the end of June 2016.
Recommendations of opportunities for improvement contained in that report were presented by the Auditor General for consideration by the VTA Board of Directors, Governance & Audit Committee and management, which are solely responsible for the effective implementation of any recommendation.
DISCUSSION:
In April and May 2017, the Auditor General’s Office completed its follow-up process to assess if the management action plans specified in the Public Safety Assessment had been completed. The results of this follow-up, as well as a summary of the findings, recommendations and VTA management responses from the subject report, are included on Attachment A.
Based on the evidence submitted by VTA, we have confirmed that the recommendations have been successfully implemented.
FISCAL IMPACT:
There is no financial impact associated with acceptance of this report.
Prepared by: Lily Rogers, AG's Office and Stephen Flynn, Advisory Committee Coordinator
Memo No. 6131
ATTACHMENTS:
• A--Followup on Public Safety Process Assessment (PDF)
VTA Auditor General's Office
# Observation Recommendation Management Response Recommendation Implementation Status
1.1 Security Staffing Levels and Capabilities:
The number of special events that VTA provides additional service to has increased significantly since the opening of both
Levi’s and Avaya Stadiums. Special events require additional security to ensure public safety due to increased ridership
and the nature of crowds at select special events. In its current state, VTA may not have the optimal level of security staff
or the right mix of security staff to adequately address increasing security concerns.
VTA utilizes three unique types of safety and security forces – law enforcement, Allied Barton (AB) security contractors,
and fare inspectors. Each group has unique responsibilities and capabilities within the organization. AB is seen as a force
multiplier who can detain, but their capabilities are limited because they cannot arrest or Mirandize. Therefore, many
responsibilities are shifted back to Transit Patrol that is staffed by Santa Clara County Sheriff’s deputies. Fare Inspectors
provide a presence on light rail and the platforms/stations along the light rail line. They also act as a deterrent because
they identify potential security risks through fare inspection, however they do not have ability to run ID checks.
In order to mitigate security concerns and to mitigate the risk of public safety issues, VTA creates an operations plan that
includes procedures to mitigate risk. The operational plan takes into account expected attendance, the specific nature of
the event and associated patrons, and other factors to develop the plan and determine security staffing levels needed.
Additional staffing is comprised of Transit Patrol Sheriff’s deputies and AB security contractors.
We noted that Transit Patrol staffing levels have recently increased, as four additional deputies were hired to
implement a third shift. However, 2015 Transit Patrol staffing levels are still below 1995 levels. While VTA now uses a
significant number of AB security contractors, there is a difference in capability and mission.
Transit Patrol staffing levels have not kept pace with the general expansion of VTA services. Current staffing
requirements stretch staffing levels in a suboptimal manner. Security staff may be performing duties that are better suited
for other members of VTA’s Protective Services to compensate for staff shortages. With future services planned, such as
the BART SV Extension service implementation, VTA may find it difficult to provide necessary security without additional
security forces.
VTA should evaluate existing staffing levels
and capabilities of law enforcement, private
security, and fare inspectors in conjunction
with projected needs for BART SV service
implementation and ongoing special events,
to identify what VTA’s ideal staffing levels
would be to meet the Board’s strategic
vision for public safety and accomplishing
operating priorities on an ongoing,
sustainable basis. VTA should also consider
all types of resources that could be utilized
(i.e., sheriff technicians in lieu of fare
inspectors, since fare inspectors cannot run
ID checks and execute law-enforcement
tasks, this results in Sheriff’s Office staff
being taken away from primary
responsibilities).
VTA management concurs with the
recommendation. VTA will evaluate staffing
levels and capabilities of law enforcement,
private security and fare enforcement personnel
with projected needs for BART SV service
implementation and ongoing special events to
identify VTA’s ideal staffing levels ensuring that
we are meeting the Board’s strategic vision for
public safety and accomplishing operating
priorities. VTA management will also consider the
best and most efficient use of resources to ensure
best use of staff available.
Responsible Party: Manager of Protective
Services Programs
Target Date: June 1, 2016
Auditor General's Office:
Status: Complete
VTA management has evaluated existing staffing levels and the need for
additional staff. Protective Services has amended the County of Santa
Clara Sheriff's Office contract to allow for additional resources. In addition,
Protective Services constantly evaluates staffing to allow the best and
most efficient use of resources.
1.2 Security Staffing Levels and Capabilities:
1.2 AB is contracted to monitor and manage the Closed Circuit Television (CCTV) control room. AB security contractors
who monitor the control room have specialized technical skills as outlined in the contract. One benefit to contracting out
CCTV control room monitoring is the number of AB resources with technical CCTV expertise.
One concern is that VTA does not have a staff member from the Sheriff’s Office or a VTA employee managing the CCTV
room. The use of video footage is an important and sensitive aspect of law enforcement that must be managed properly.
It is very important that an accurate chain of custody be maintained for data which could be requested for evidentiary
reasons. VTA management of the CCTV control room could also provide stronger controls to prevent video footage leaks.
VTA should formally evaluate the costs and
benefits of contracting out CCTV control
room management. Based on discussions
with members of Protective Services, it is
clear that there are benefits to using a VTA
employee to manage the CCTV control
room.
VTA management concurs with the
recommendation. VTA will evaluate the costs
and benefits of staffing the CCTV control room
with VTA personnel.
Responsible Party: Director of Safety and
Security
Target Date: December 31, 2015
Auditor General's Office:
Status: Complete
Protective Services has evaluated the costs and benefits of staffing the
CCTV control room with VTA personnel. At the time of review, budget
constraints do not allow for complete VTA management of the CCTV
room. Staff coverage of the CCTV room has been expanded to include
coverage from 0600 to 0200 hours and VTA is exploring the possibility of
staffing two officers during peak hours. In addition, there is a designated
"on-call CCTV officer" for major incidents which occur over the weekend.
1.3 Security Staffing Levels and Capabilities:
1.3 AB security contractor training is a key requirement of the contract between VTA and AB. VTA’s annual audit of the
AB contract includes significant testing of training compliance which highlights the importance that VTA places on utilizing
well-trained security contractors. While AB security contractors undergo extensive training, they are not required to have
Crisis Intervention Training (CIT) that is focused on helping law enforcement to appropriately react in situations involving
mental health or developmental disability to prevent unnecessary escalation. This is currently a requirement for Transit
Patrol as part of the Sheriff’s Office training. CIT training is another example of differences in security capability. It also
highlights the need to evaluate that the right mix of security forces are used.
Additionally, AB security contractors do not undergo formal Implicit Bias (IB) training or Customer Service (CS) training.
Implicit Bias training reinforces to officers the importance of not allowing personal biases to influence their decision-making in
situations. Also, though many AB security contractors are known to have received some sort of CS training in the past,
there is no uniform training which all have received.
VTA should evaluate the costs and benefit
of requiring Allied Barton security
contractors to receive CIT training to ensure
its security presence has the adequate skills
to effectively de-escalate and manage
potential crises.
VTA should also consider the costs and
benefit around both IB and CS training.
Such training can enhance the AB security
contractors’ ability to fairly work with
passengers, especially in tense or
controversial situations.
VTA may also benefit by considering the
feasibility of AB contractors participating with
other law enforcement agencies’ CIT, IB,
and CS training to save on costs.
VTA management concurs with the
recommendation. VTA will evaluate the costs
and benefit of requiring Allied Barton security
contractors to receive CIT, IB, and CS training.
Responsible Party: Manager of Protective
Services Programs
Target Date: December 31, 2015
Auditor General's Office:
Status: Complete
At the time of review, Allied Universal (formerly Allied Barton) security
contractors are required to receive CIT training focused on de-escalation
and nonviolent crisis intervention. Protective Services provided detail
reports showing mandatory security contractor training provided to all
Allied Universal employees. In addition, security contractors will receive
additional training on mental health, first response, and de-escalation if
they display poor judgment.
June 1, 2017
Follow-up Report: Public Safety Process Assessment
1.4 Security Staffing Levels and Capabilities:
1.4 The CCTV control room is staffed during business hours by AB security contractors. They monitor television monitors,
review previously taped footage, and pull requested footage if necessary. The CCTV control room is currently not staffed
on nights and weekends. If footage of events is requested on weekends or at night, then a member of VTA will need to
respond to the request.
VTA should evaluate whether 24/7 staffing
of the CCTV control room would be
beneficial. Considerations should include
the cost of staffing, other supplementary
work that could be performed by security
staff working on weekends and nights, and
the overall benefit to have real time
monitoring and resources to pull video
footage immediately when requested.
VTA management concurs with the
recommendation. VTA will evaluate the costs
and benefit of 24/7 staffing of the CCTV control
room.
Responsible Party: Manager of Protective
Services Programs
Target Date: December 31, 2015
Auditor General's Office:
Status: Complete
Protective Services has evaluated the costs and benefits of 24/7 staffing
of the CCTV control room. Budget constraints do not allow for 24/7
staffing, however, staff coverage of the CCTV room has been expanded
to include coverage from 0600 to 0200 hours. In addition, there is a
designated "on-call CCTV officer" for major incidents which occur over the
weekend.
2.1 IndustrySafe Reporting and Audit Module Functionality:
2.1 Operator incident reporting is manually entered into IndustrySafe, a web-based product used to record, track and
identify safety trouble areas. This manual process entails paper forms, supervisor review, transfer to the Protective
Services office, and data entry by an administrator. Through inquiry it was revealed that there is a backlog of incident
reports that have not been entered into the IndustrySafe system. While we were informed that incidents of greater
severity were entered into the system, other incident reports would not be visible if a query was run. The backlog of
incident reports limits the value of analysis and reporting from IndustrySafe.
VTA should devote resources to eliminate
the backlog of incident reports. VTA should
also evaluate the manual nature of incident
reporting. Process improvements that
allow or encourage operators to enter
incidents directly into IndustrySafe should be
explored. We understand that incident
reports need to be reviewed by a Supervisor
and there are issues with providing tablets
or computer access to operators, but
exploring automation opportunities could
greatly enhance the speed with which
reports are entered into IndustrySafe and
available for analysis and reporting.
VTA management concurs with the
recommendation. VTA will devote resources to
eliminate the backlog of incident reports. VTA will
also evaluate the manual nature of incident
reporting and will explore automation.
Responsible Party: Manager of Protective
Services Programs
Target Date: March 31, 2016
Auditor General's Office:
Status: Complete
Protective Services will explore possible automation opportunities related
to incident reports as the expiration date for the current contract
approaches. At the time of review, the backlog of incident reports has
been eliminated. Protective Services is working with operators to clarify
the incident reporting process and the information required to be
submitted with each report.
2.2 IndustrySafe Reporting and Audit Module Functionality:
2.2 Incident reporting out of IndustrySafe is inadequate to provide relevant and meaningful reporting in an efficient
manner. Through inquiry and observation it was evident that Protective Services had limited ability to generate
IndustrySafe reports that could be used for analysis or reporting to management. Observation revealed that standard
reports were not available. Key administrative staff could generate data dumps in Excel but would then need to use filters
to generate meaningful information.
This was not the case for Sheriff’s Office security metrics or fare inspector data. Both the Sheriff’s Office application and
the fare inspector’s application (FEATS) have adequate reporting capabilities to provide data used for management
reporting and operational decision making. Through inspection of reports, we were able to see statistics for fare evasion,
total ridership, and total passengers checked. The Sheriff’s monthly incident report included meaningful information on
individual events.
Further discussion with the Director, System Safety and Security and the Principal Safety Auditor, revealed that
IndustrySafe training gaps and limited sharing of best practices across departments may be responsible for Protective
Services’ inability to generate meaningful reporting. With recent organizational realignment, the System Safety and
Security Division obtained ownership of IndustrySafe and has plans to enhance training and disseminate best practices.
VTA should evaluate IndustrySafe reporting
to determine if it has sufficient incident
reporting capabilities. If it does not, VTA
should consider other reporting options such
as Crystal reports. If IndustrySafe does
have sufficient reporting capabilities, then
VTA should evaluate whether the application
has effectively been rolled out to all
departments and whether additional training
should be provided to ensure all users are
aware of and employing the full functionality
of the application.
VTA management concurs with the
recommendation. VTA will evaluate Industrysafe
and determine its capabilities in the area of
security related incident tracking, reporting and
forecasting.
Responsible Party: Director of Safety and
Security, Manager of Protective Services
Programs, and Principal Safety Auditor
Target Date: June 30, 2016
Auditor General's Office:
Status: Complete
Protective Services has evaluated the use of IndustrySafe and its incident
tracking and reporting capabilities and has determined that reporting
capabilities are adequate. Additional online training webinars, as well as
VTA specific business process documents and guidance, are available to
VTA personnel and have been rolled out to all departments.
2.3 IndustrySafe Reporting and Audit Module Functionality:
2.3 VTA undergoes significant third party audits and reviews by both state and federal agencies that include significant
security and safety components. VTA also conducts a number of internal audits designed to monitor the effectiveness of
processes/controls as well as comply with third party requirements. Because of the volume of audits required, and the
need for administration and monitoring, VTA should be commended for their oversight of the audit process. However, it
may be beneficial if some audit administration and monitoring tasks were automated.
Through inquiry with System Safety and Security’s Principal Safety Auditor, it was revealed that IndustrySafe includes an
audit module that assists in automating audit administration and monitoring. Because the Principal Safety Auditor is a
newly instituted position, there has not
been time to fully investigate the audit module functionality. The Principal Safety Auditor will oversee safety audits while
the divisions’ Senior Management Analyst will continue to oversee security audits.
Both the Senior Management Analyst and the Principal Safety Auditor use schedules to monitor the calendar of audits. An
annual report is completed for the internal audit process every February, which provides a road map for audit planning and
completion. In addition, the Senior Management Analyst maintains a monthly Corrective Action Plan report that tracks
issues identified by an audit and the efforts to correct those issues. These procedures are primarily manual and tracked
through spreadsheets and MS Word documents.
We recommend evaluating the IndustrySafe
audit module to determine if it provides
additional functionality that improves the
operational efficiency of audit monitoring
through automating processes.
VTA management concurs with the
recommendation. VTA will evaluate Industrysafe
and determine its capabilities in the area of audit
functionality.
Responsible Party: Director of Safety and
Security, Manager of Protective Services
Programs, and Principal Safety Auditor
Target Date: June 30, 2016
Auditor General's Office:
Status: Complete
IndustrySafe does not currently have a dedicated audit module. Protective
Services and other VTA personnel use a number of standard IndustrySafe
reports which are included as part of the web-based reporting tool.
Protective Services will continue to evaluate IndustrySafe and its reporting
capabilities.
3.1 Jurisdictional Responsibilities and Mutual Protocol Agreements:
3.1 VTA’s jurisdictional responsibilities are complex because of its large service area, providing bus and light
rail services across Santa Clara County and the fifteen municipalities therein. VTA services also overlap with regional rail
services, such as Caltrain, that create additional complexity. As a result, defining jurisdictional responsibilities for security
related events is critical for effective and efficient incident response.
In 2011, a mutual protocol agreement was executed between the San Jose Police Department and the Santa Clara
County Office of the Sheriff. A section of the agreement defined jurisdictional responsibilities for VTA related incidents. An
updated agreement is in the process of being drafted. The execution of a mutual protocol agreement between the Sheriff’s
Office and the city of San Jose increases cooperation by clarifying law enforcement responsibilities.
With the impending implementation of BART SV service, VTA is drafting an Operations & Maintenance (O&M) Companion
Agreement to the existing BART/VTA Comprehensive Agreement that will include a section to define jurisdictional
responsibility between BART police and VTA security.
It was also determined that jurisdictional cooperation with other municipalities is predicated on the experience and working
relationships that Transit Patrol has established. However no formal process has been implemented to evaluate whether
mutual protocol agreements with other municipalities should be pursued.
Because of the complexity of providing
transit security along the VTA footprint, we
recommend evaluating whether a process to
periodically assess the need for mutual
protocol agreements is necessary. The
mutual protocol agreement with the city of
San Jose is intuitive because 95% of calls
occur within San Jose, but there should be a
process to determine if mutual protocol
agreements with other municipalities should
be pursued.
A process that includes periodic
assessments provides a mechanism to
monitor changing demographics, as well as
the VTA footprint, to ensure that mutual
protocol agreements are pursued with high
value municipalities.
Another approach is consideration of
whether an educational document that
defines VTA security responsibilities could
be created and communicated to other law
enforcement agencies.
VTA management concurs with the
recommendation. VTA will evaluate the mutual
protocol agreements with overlapping
municipalities and/or feasibility of an educational
document that defines VTA security
responsibilities which could be communicated to
other law enforcement agencies. Further, VTA
will develop a procedure for periodic review of
changing demographics and population within the
VTA footprint.
Auditor General's Office:
Status: Complete
In April 2016 VTA entered into a mutual protocol agreement with the San
Jose Police Department in order to maintain the previous agreement
guidelines and clarify the responsibilities of both parties and the
responses to VTA property, facilities and vehicles. VTA monitors
demographics on a yearly basis and continually explores the need for
mutual protocol agreements with other municipalities.
4.1 BART Go Live - Security Considerations:
The BART extension has the potential to create jurisdictional ambiguity between different transit and law enforcement
agencies. BART and VTA are drafting an O&M agreement to address some of these issues. Although the agreement has
not been executed, it calls for BART police to patrol the trains and VTA to provide security on platforms and station
facilities.
To enhance jurisdictional cooperation, VTA would like to establish a community policing center near the Berryessa station.
The value of a community policing center would be to establish a more consistent security presence in the area, enhance
cross-training opportunities and provide a venue for greater cooperation between different law enforcement agencies who
could use the center.
VTA should evaluate the costs and benefits
of a community policing station by assessing
best practice security approaches used at
other BART stations.
VTA management concurs with the
recommendation. VTA will evaluate benefits of a
community policing station by assessing best
practice security approaches used at other BART
stations.
Responsible Party: Manager of Protective
Services Programs; Director of Safety and
Security and Captain Lera
Target Date: June 30, 2016
Auditor General's Office:
Status: Complete
In preparation for the expansion of BART into Silicon Valley, VTA is
exploring memorandums of understanding with BART Police and the City
of Milpitas to define the responsibilities of each party. Under the proposed
agreement, BART Police will be responsible for all incidents inside BART
with VTA being responsible for all incidents outside BART. The BART
agreement is currently being finalized.
4.2 BART Go Live - Security Considerations:
4.2 The BART extension will include extensive CCTV monitoring. BART security will monitor CCTV on trains and VTA
security will monitor CCTV on station platforms and parking lots. Each entity will own and manage security footage
recorded on their CCTV cameras.
CCTV is a powerful tool to record security events as well as deter potential security incidents. CCTV data/footage
sharing between BART and VTA is being discussed and the framework will be included in the O&M Companion
Agreement being developed.
Through review of VTA Policy OGC-PL-1001, Records Management, and its accompanying Attachment 1 – Retention
Schedule and discussion with VTA’s Director, System Safety and Security, it was noted that CCTV records are included
within the scope of the Policy and that the policy appears both reasonable and in compliance with Government Code
34090.8 and Assembly Bill 839. Further, as the Policy is intended to apply system-wide, it will continue to apply to all new
environments after BART go-live, in conjunction with parameters set forth within the O&M Companion Agreement.
Accordingly, it appears that no changes need be made to the policy to afford additional accommodations in light of the
forthcoming BART service.
VTA should evaluate CCTV recording
options and work with BART to share CCTV
recording data.
VTA management concurs with the
recommendation. VTA will evaluate CCTV
recording options and work with BART to share
CCTV recording data.
Responsible Party: Manager of Protective
Services Programs; Director of Safety and
Security and Captain Lera
Target Date: June 30, 2016
Auditor General's Office:
Status: Complete
VTA is in the process of installing fiber cables to allow for video review at
the River Oaks facility. Only one agency will record specific incidents, and
each agency will record video related to their own area of jurisdiction. The
expansion of BART into Silicon Valley will be managed using best practice
security practices used at other BART stations and coded into the O&M
Companion Agreement.
5.1 Calls for Service - Operational Responsibilities:
5.1 “911” calls go to the Sheriff’s Office or local police dispatch. Calls on light rail station platform blue phones go to the
Sheriff’s Office dispatch. Calls from bus or light rail operators are routed to OCC who then contacts Transit Patrol if there
is a high risk security concern. The Sheriff’s Office also has access to monitor OCC calls and would likely know about an
incident before the OCC contacted them.
VTAlerts, a phone/tablet application, is another tool that allows VTA customers and others to report problems through their
phone or tablet. VTAlerts is monitored by AB, who will respond and, if necessary, escalate higher risk incidents to law
enforcement.
It was revealed that the OCC does not have personnel that specifically manage incoming calls related to security issues.
Although security response times have not
been an issue, VTA should evaluate the
service call process to determine if
response times should be tracked and
reported.
Additionally, VTA should evaluate the
service call process to determine if the OCC
should have dedicated personnel to
manage incoming security calls.
VTA management concurs with the
recommendation. VTA will evaluate the service
call process to determine if response times
should be tracked and reported. Further VTA will
evaluate the feasibility of having dedicated
security personnel in OCC to manage incoming
security related calls.
Responsible Party: Manager of Protective
Services Programs; Director of Safety and
Security and Captain Lera
Target Date: June 30, 2016
Auditor General's Office:
Status: Complete
Protective Services tracks incident response times as part of the service
call process. In addition, VTA has amended their current contract to allow
for additional staffing and more public safety resources at dedicated
locations such as light rail platforms and vehicles. These additional
resources have helped VTA to better manage incoming security calls.
Date: May 25, 2017
Current Meeting: June 1, 2017
Board Meeting: August 3, 2017
BOARD MEMORANDUM
TO: Santa Clara Valley Transportation Authority Governance and Audit Committee
FROM: Auditor General, Bill Eggert
SUBJECT: Inventory and Assets Held at Outreach
Policy-Related Action: No Government Code Section 84308 Applies: No
ACTION ITEM
RECOMMENDATION:
Review and receive the Auditor General's report on the Inventory and Assets Held at Outreach.
BACKGROUND:
Since 1993, VTA has contracted with Outreach & Escort, Inc. (Outreach) to provide ADA Paratransit brokerage services.
During 2015 and 2016, as part of the Board-approved FY15 Internal Audit Work Plan, the Auditor General completed a Paratransit Operations Assessment that identified several high-risk findings, including VTA’s lack of access to paratransit source data and the Auditor General’s inability to verify the trip information provided by Outreach.
Based on the report, the VTA Board exercised the one-year notice of contract cancellation provision with Outreach, while concurrently initiating the competitive procurement process for replacement paratransit services.
In March 2017, as part of the transition and contract cancellation process, the Board approved this additional review to validate inventory and assets held by Outreach due to the importance of understanding which items VTA had ownership rights to.
DISCUSSION:
The objective of this review was to verify and physically observe a sample of high-dollar assets and inventory, determine the VTA funding sources for assets and inventory held at Outreach’s locations, assess VTA’s ownership rights to the assets and inventory, and determine whether those items should be returned to VTA at the conclusion of the paratransit services contract.
The Auditor General encountered several limitations during this review, including lack of responsiveness and proper documents from Outreach, denial of access to Outreach’s premises, litigation filed by VTA and by Outreach, and a Federal Bureau of Investigation execution of a search warrant on the Outreach headquarters.
An overall report rating of High was assigned to help management understand our assessment of controls related to assets and inventory financed or purchased with VTA funds. This was based on two observation categories, both judged as High risk. Our recommendations addressed the following areas: (1) VTA’s ability to identify and monitor assets, and (2) Outreach’s lack of adequate record keeping and contract compliance.
VTA management agreed with all of the Auditor General’s Office recommendations. It committed to implement all but one recommendation by the end of 2017; the remaining one, which concerns VTA pursuing physical control and ownership of all relevant assets or reimbursement thereof, is projected to require until the end of 2018.
Recommendations of opportunities for improvement contained in this report were presented by the Auditor General for consideration of VTA management, which is responsible for the effective implementation of any action plans.
FISCAL IMPACT:
There is no financial impact associated with acceptance of this report.
Prepared by: Lily Rogers, AG's Office & Stephen Flynn, Advisory Committee Coordinator
Memo No. 5979
ATTACHMENTS:
• A--Outreach Inventory & Assets (PDF)
Inventory and Assets Held by Outreach and Escort, Inc.
Auditor General Report No. 2017-04
May 09, 2017
Inventory and Assets Held by Outreach Auditor General Report Issued: May 4, 2017
© 2017 RSM US LLP. All Rights Reserved.
EXECUTIVE SUMMARY
Overall Rating (See Appendix A for definitions)
Inventory and Assets Held by Outreach
Report Rating: High
Number of Observations by Risk Rating: High 2, Medium 0, Low 0
Background
Since 1993, VTA contracted with Outreach & Escort, Inc. (Outreach) to
provide ADA Paratransit brokerage services. In FY16, the Auditor General
completed a Paratransit Operations Assessment that identified high-risk
findings, including VTA’s lack of access to paratransit source data and the
AG’s inability to verify the trip information provided by Outreach. Based on
the report, the VTA Board exercised the one-year notice of contract
cancellation provision with Outreach, while concurrently initiating the
competitive procurement process for replacement paratransit services.
In March 2017, as part of the transition and contract cancellation process, the
Board approved this additional review to validate inventory and assets held
by Outreach because of the importance of understanding the assets and
inventory held by Outreach to which VTA had ownership rights.
This review was performed in accordance with the Standards for Consulting
Services issued by the American Institute of Certified Public Accountants.
This report is intended for use by VTA’s Board of Directors, Governance &
Audit Committee, and management. Recommendations for improvement are
presented for management’s consideration, and management is responsible
for the effective implementation of corrective action plans.
Objective and Scope
The Auditor General’s Office performed fieldwork from November 2016
through March 2017, with the following objectives:
• Verify and physically observe a sample of high-dollar assets and inventory
• Determine the VTA funding source for assets and inventory held at Outreach’s locations (VTA funds and/or grant proceeds)
• Assess VTA’s ownership rights to the assets and inventory, or whether assets or inventory held by Outreach should be returned to VTA at the conclusion of the paratransit services contract
Overall Summary and Review Highlights
The AG encountered several scope limitations during this review, including:
• Lack of responsiveness and proper documents from Outreach to our various requests
• Denial of access to Outreach’s premises (although notice was provided in accordance with the Contract terms)
• Litigation filed by VTA and a counter-suit by Outreach, which delayed access to requested records.
• A Federal Bureau of Investigation execution of a search warrant on the Outreach headquarters.
We were able to perform limited testing and verify certain fixed assets.
In addition, where necessary, we developed alternative audit procedures to
attempt to accomplish the established objectives. However, due to the above
limitations, we were not able to conclude whether Outreach had adequately
accounted for fixed assets or inventory purchased with VTA funds or grant
proceeds provided by VTA.
An overall report rating of High was assigned to help management
understand our assessment of controls related to assets and inventory
financed or purchased with VTA funds.
We would like to thank those who assisted us throughout this review.
Questions should be addressed to Bill Eggert in the VTA Auditor General’s
Office.
OBSERVATIONS SUMMARY
Following is a summary of observations noted in the areas reviewed.
Definitions of the observation rating scale are included in Appendix A.
Ratings by Observation
1. VTA’S ABILITY TO IDENTIFY AND MONITOR ASSETS - Rating: High
2. OUTREACH’S LACK OF ADEQUATE RECORD KEEPING AND CONTRACT COMPLIANCE - Rating: High
DETAILED OBSERVATIONS
1. VTA’s Ability to Identify and Monitor Assets
Observation Rating: High
Observation: VTA experienced challenges in identifying all Outreach fixed assets, due to lack of adequate records received from Outreach.
Recommendation: VTA develop a process to verify the sources of funding and ownership of assets for future Paratransit contracts.
1.1 Observation: The Outreach Paratransit Services contract required that VTA be provided at the end of each fiscal year an updated list of inventoried VTA property, including disposed items (section 13.2).
Outreach provided these reports on occasion, but not on a regular basis, as required by the Contract. VTA did not have an effective process to monitor the receipt of the required monthly asset listings. VTA also did not exercise any of the Audit clauses in the Contract to periodically inspect the assets or financial records on-site at Outreach. A current Asset Register would allow VTA to verify:
• Completeness and accuracy of items to which VTA has a contractual claim
• Proper categorization as paratransit related
• Disposal of assets no longer in use
1.1 Recommendation: For future agreements with third party Paratransit vendors, we recommend that VTA develop a process or utilize a system to tag specific assets and periodically exercise contractual audit rights to physically inspect and validate assets reported. By implementing such a process, VTA can better mitigate Paratransit vendor risk and protect ownership rights to assets funded by VTA.
The system or fixed assets register should contain adequate information to validate funding sources and ownership. Such documentation could include:
• Unique identifying information, such as serial numbers
• Expected useful life
• Journal entries
• Invoices and purchase support
• Service contracts
• Other asset documentation
1.1 Management’s Action Plan: Management agrees with the recommendation. The recently established Regional Transportation Services (RTS) department will be responsible for managing the process to ensure accurate asset information is provided to VTA both regularly and in a timely fashion. It will also ensure that all qualifying assets receive VTA asset tags and are appropriately recorded in VTA’s existing fixed asset inventory database. Staff will also monitor assets, as well as perform random asset audits and verifications.
Responsible Party: RTS, in conjunction with Financial Accounting
Target Date: 12/31/2017
1.2 Observation: VTA entered into multiple Cooperative Agreements with Outreach for grant funds, including the FTA’s “Veterans Transportation and Community Living Initiative” (VTCLI) and “Lifeline Transportation Program” (LTP) programs. Reimbursed expenses under the Agreements frequently included purchases of fixed assets and other equipment inventory that was not formally reported by Outreach or tracked centrally by VTA.
1.2 Recommendation: We recommend that Grants Management develop and implement enhanced procedures to monitor funds passed through to third parties, in compliance with applicable Cooperative Agreements.
1.2 Management’s Action Plan: VTA agrees. This issue was identified by the Federal Transit Administration (FTA) in VTA’s 2014 Triennial Review. In response, VTA developed standard terms and conditions to be included in all third party agreements, which were fully implemented by early 2015. VTA’s agreements with Outreach reviewed by the Auditor General were executed prior to development of these standard terms and conditions. VTA also intends to develop improved protocols to monitor funding provided to third-party recipients.
Responsible Party: Programming, Grants and Administration Department
Target Date: 12/31/2017
2. Outreach’s Lack of Adequate Record Keeping and Contract Compliance
Observation Rating: High
Observation: Outreach did not provide all requested financial and other supporting records, and as a result, we were unable to independently verify and inspect certain assets.
Recommendation: We recommend that VTA enhance its processes for paratransit service-related recordkeeping and assets monitoring.
2.1 Observation: The AG developed an alternative audit procedure since there was no Fixed Assets Register available. We compiled a list of assets from Paratransit and grants invoices sent to VTA between 2012 and 2015. The asset compilation did not include all assets to which VTA may have an ownership claim. Asset Verification - We selected 53 assets and physically observed 45 assets valued at $166,000. These assets included server equipment, GPS units, phones, work stations, desks, computer monitors, chairs and other office equipment. The remaining eight (8) assets with an invoice value of $44,000 were not located by Outreach during our onsite visit, nor identified afterwards.
2.1 Recommendation: To date, Outreach has not provided or returned any asset types to VTA. We recommend that VTA continue to pursue physical control and ownership of all relevant computer, fleet, furniture, and other assets. In addition, we recommend that VTA consider pursuing reimbursement of costs or a claim for the assets to which VTA has ownership rights.
2.1 Management’s Response and Action Plan: Management agrees. VTA will continue pursuing physical control and ownership of all relevant assets or reimbursement thereof, including through legal remedies as necessary, as is reasonably prudent.
Responsible Party: RTS, in collaboration with General Counsel’s Office
Target Date: 12/31/2018
2.2 Observation: Fleet Observation – VTA Operations provided an inventory of 302 fleet vehicles used for paratransit operations. We physically verified the existence of 301 vehicles. We were informed that the remaining one vehicle might have been in a repair shop. However, we also identified an additional 32 vehicles on VTA and County property that were not included on VTA’s Fleet Register.
2.2 Recommendation: We recommend that VTA update the Fleet Register to include all fleet vehicles, whether active or decommissioned, and physically verify the fleet on a periodic basis.
2.2 Management’s Response and Action Plan: Management agrees with the recommendation. The RTS department will update the Fleet Register to include all vehicles, both active and decommissioned. In addition, it will physically verify the existence and location of all fleet vehicles on a periodic basis.
Responsible Party: RTS
Target Date: 09/30/2017
2.3 Observation: Computers - We were informed by Outreach that certain computers stored offsite might still contain paratransit clients’ Personally Identifiable Information (PII). We were not able to verify this due to lack of access to the facilities. However, this would not comply with VTA’s policy to scrub any equipment of PII before disposal.
2.3 Recommendation: We recommend that VTA develop a process to determine whether off-site or non-used computers and equipment held by the vendor should be tested or evaluated by other means to ensure that all Personally Identifiable Information (PII) has been appropriately removed.
2.3 Management’s Response and Action Plan: VTA agrees with the concept. However, the Outreach computers and servers are all password protected, and therefore, without the administrator rights to the equipment, we cannot evaluate the content on the equipment. Once VTA takes physical control of the computer equipment, the devices can be reformatted and rebuilt to be redeployed as any VTA asset. Following VTA’s existing computer equipment decommissioning procedure, all data is wiped from any system or piece of equipment prior to being scrapped or sold.
Responsible Party: RTS, in collaboration with the Information Technology department
Target Date: Immediate and on-going implementation as VTA is given access to the assets
APPENDIX A—RATING DEFINITIONS
Observation Risk Rating Definitions (Rating: Definition)
Low: Process improvements exist but are not an immediate priority for VTA. Taking advantage of these opportunities would be considered best practice for VTA.
Medium: Process improvement opportunities exist to help VTA meet or improve its goals, meet or improve its internal control structure, and further protect its brand or public perception. This opportunity should be considered in the near term.
High: Significant process improvement opportunities exist to help VTA meet or improve its goals, meet or improve its internal control structure, and further protect its brand or public perception. This opportunity should be addressed immediately.
Report Rating Definitions (Rating: Explanation)
Low: Adequate internal controls are in place and operating effectively. Few, if any, improvements in the internal control structure are required. Observation should be limited to only low risk observations identified or moderate observations which are not pervasive in nature.
Medium: Certain internal controls are either:
• Not in place or are not operating effectively, which in the aggregate, represent a significant lack of control in one or more of the areas within the scope of the review.
• Several moderate control weaknesses in one process, or a combination of high and moderate weaknesses which collectively are not pervasive.
High: Fundamental internal controls are not in place or operating effectively for substantial areas within the scope of the review. Systemic business risks exist which have the potential to create situations that could significantly impact the control environment.
Significant/several con